Validates the HSM environment and configuration.

This command provides diagnostic information to help the Database Administrator manage OpenEdge interactions between TDE and HSM. The utility:
  • Checks accessibility of a local or remote HSM, including the dynamic library versioning.
  • Validates OpenEdge TDE configuration information for HSM interactions, including keystore compatibility and versioning, and security policy configuration.

Syntax

proutil [ db-name ] -C hsmvalidate [ db |
  hsm -HSMLibrary library-path [ -HSMSlotID slot-number ] [ -HSMLabel label-name ] ]
  [ -verbose ]

Parameters

db-name
Specifies the name of the database to use for validation.
db
Uses database information for validation instead of HSM.
hsm
Uses HSM information for validation and ignores database information.
-HSMLibrary library-path

Specifies the location of the library, which must be an absolute path. If you specify a relative path, the validate HSM operation converts it to an absolute path, and you must confirm the location about to be stored. This library is loaded at runtime and must be secured by the server administrator. For OpenEdge Replication, this location must be the same for the source and target machines because this record is replicated. Symlinks are disallowed.

The location of the library in the database is controlled by EnableHSM, a PROUTIL EPOLICY MANAGE option that requires the TDE Admin passphrase to operate.

-HSMSlotID slot-number
Specifies the numeric ID of the HSM device token as seen by the server HSM client library. The Slot ID is used to locate and connect to a specific HSM device token on the server.
-HSMLabel label-name
Specifies an HSM Admin-assigned tag in the HSM device token. This token is unique among all HSM tokens and can be used to locate and connect to your database’s assigned HSM token instead of using an HSM Slot ID. This label must be retrievable at all times to open the keystore.
-verbose
Provides details about the configuration.
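
The -HSMLibrary requirements above (absolute path, no symlinks, a library secured by the server administrator) can be checked before running HSMVALIDATE. The following shell function is an added example, not part of the OpenEdge documentation or tooling; the function name, its return codes, the rejection of symlinked directory components, and the permission rule (no group or world write access on the library or its directory) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for a path intended for -HSMLibrary.
# Return codes (chosen for this example):
#   0 ok, 1 not absolute, 2 not a regular file,
#   3 symlink or non-canonical path, 4 writable by group or others.
check_hsm_library() {
    lib=$1

    # The path must be absolute; relative paths get converted and
    # then need interactive confirmation.
    case $lib in
        /*) ;;
        *) echo "not an absolute path: $lib" >&2; return 1 ;;
    esac

    # Symlinks are disallowed: reject a link at the final component first
    # (this also catches dangling links, which fail the -f test below).
    if [ -L "$lib" ]; then echo "symlink: $lib" >&2; return 3; fi
    if [ ! -f "$lib" ]; then echo "not a regular file: $lib" >&2; return 2; fi

    # Assumption: a symlinked directory component (or a ../ segment) is
    # treated as a failure too, so the stored path is the real location.
    real=$(readlink -f "$lib") || return 2
    if [ "$real" != "$lib" ]; then
        echo "path is not canonical, resolves to: $real" >&2; return 3
    fi

    # Assumption for "secured by the server administrator": neither the
    # library nor its directory may be writable by group or others, since
    # the library is loaded at runtime.
    dir=$(dirname "$lib")
    for p in "$lib" "$dir"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable by group or others: $p" >&2; return 4
        fi
    done

    echo "ok: $lib"
    return 0
}

# Usage: sh check_hsm_library.sh /absolute/path/to/vendor-library.so
# (the path is a placeholder, not a real vendor location)
if [ "$#" -gt 0 ]; then check_hsm_library "$1"; fi
```

Because the library location is replicated for OpenEdge Replication, run the same check on both the source and target machines.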

Notes

  • When using HSMVALIDATE, you must provide appropriate authentication and handle user input in accordance with security protocols.
  • HSMVALIDATE identifies where the configuration is incomplete, but does not fix the issues found. To correct issues, use HSM utilities provided by the HSM vendor and TDE utilities.
  • HSMVALIDATE will not alter the state of a replication target or hot standby when operating on either.